Cookie: (new) guidelines issued by the Italian Data Protection Authority

 

Background

At the end of the public consultation launched in December 2020[1], the Italian Data Protection Authority (“Garante”) took a final decision on cookies, announcing the forthcoming publication of its guidelines concerning cookies and other tracking tools (original version: Linee guida cookie e altri strumenti di tracciamento – 10 giugno 2021) (“Guidelines”) and the related summary sheet (original version: Scheda di sintesi).

Before delving into the contents of the Guidelines, it must be pointed out that organizations have six months to comply with the new provisions (this period starts from 9 July 2021, the day the Guidelines were published in the Official Journal, i.e., “Gazzetta Ufficiale”)[2].

 

Key contents

The legal basis

As far as the legal basis is concerned, at the national level, the legislative provision of reference is Article 122 of Legislative Decree 196/2003 (“Personal Data Protection Code”), which transposes the provisions of the ePrivacy Directive[3], as supplemented in some respects by the provisions of Regulation (EU) 2016/679 (“GDPR”), for example as regards the consent requirements[4]. In this respect, the Garante confirms what was already stated by the other European Data Protection Authorities and by the European Data Protection Board in the Guidelines 5/2020 on consent[5]: hence, consent to the use of cookies shall respect the conditions set forth in the GDPR.

In view of the above, the Garante specified that legitimate interest according to Article 6(1)(f) GDPR cannot be considered a valid legal basis to install or read cookies or other tracking technologies on a user’s device. Therefore, the consent of the user to the use of cookies is necessary unless the use of cookies is justified by exceptions that, in any case, cannot be based on legitimate interest.

 

The classification of cookies. Other tracking tools

The “subjective” difference (between different types of cookies), as already established in the previous legal framework, is maintained:

  • first-party cookies (or publishers’ cookies), directly installed by the website the user is visiting;
  • third-party cookies, meaning cookies installed by different web servers from the one visited by the user.

Moreover, having regard to their duration, the difference between session cookies and persistent cookies is confirmed. Another classification is the one based on the “purpose” pursued with the installation of the cookies; based on that, the cookies may be:

  • technical, when the cookies are used only to carry out the transmission of a communication over an electronic communications network, or to the extent strictly necessary in order to provide an information society service explicitly requested by the subscriber or user;
  • profiling, when the cookies are aimed at creating user profiles, tracing specific actions or behavioural patterns recurring in the use of functionalities back to specific identified or identifiable subjects. More specifically, profiling cookies allow different profiles to be grouped together within homogeneous clusters, so that it is possible for the data controller, among other things, to modify the provision of the service in an increasingly personalized manner beyond what is strictly necessary for the provision of the service (e.g. to send advertising messages in line with the preferences expressed by the user while surfing the web)[6].

That being said, it is important to underline that the Guidelines apply to cookies and to other (active) tracking tools, as well as to “passive” identifiers, e.g., fingerprinting (all hereinafter referred to as “cookies”).

With regard to the above, the distinction between “technical” and “profiling” cookies is the most relevant one as to the legal requirements to abide by, considering that prior and unambiguous consent does not have to be collected for the former type of cookies.

 

The manner of acquisition of the consent and withdrawal

  • Scrolling

The Guidelines do not categorically exclude the possibility of giving consent by scrolling, provided that scrolling is only one of the components of the consent collection process and that the user is able to signal an unambiguous and informed choice to the website manager. In any case, this choice should also be recordable and therefore documentable (see section 6.1 of the Guidelines).

  • Cookie banner

The cookie banner – not required when using only technical cookies – is confirmed as a valid tool to acquire consent. For this purpose, the banner must:

  1) include the link to the privacy policy/general information notice, in which the information required under Articles 12 and 13 of the GDPR must be provided;
  2) contain a short information notice on the cookies used;
  3) have a control, such as an “X” at the top right, that allows the user to browse the website without giving consent to the activation of non-technical cookies;
  4) inform the user that closing the banner with the aforementioned “X” allows browsing of the website without the activation of non-technical cookies;
  5) include the link to another landing page where it is possible to manage preferences specifically, including by grouping cookies into homogeneous categories. These preferences must be set by default to refusal of the activation of the cookies;
  6) include the control to accept the installation of all the non-technical tracking tools.

 

The user shall not, as a rule, be solicited to express consent before 6 months have passed from the presentation of the banner.

  • Other methods. The registered users

The website manager can freely implement other mechanisms to acquire consent: thus, for example, for users who access the services through authentication, the obligations could be fulfilled from the moment of registration; these users shall be offered the choice to accept (or not) tracking carried out by cross-analysis of their behaviour on different devices – and this should also be referred to in the cookie banner.

  • Withdrawal of the consent and changing of the preferences

Users shall be granted the possibility to change, at any time, the choices made – in both negative and positive terms.

This shall be done through a dedicated area on the website accessible via a link placed in the footer of each page of the site; this area shall also be accessible via the cookie banner (as mentioned in point 5) above).

 

Some further clarifications and details

  • Cookie wall

The use of the cookie wall is, in general, forbidden, unless the website manager offers the user the possibility of accessing an equivalent content or service; this should be checked on a case-by-case basis.

  • Analytical cookies

Analytical cookies are equivalent to technical cookies only if:

  • they are used only to conduct aggregate statistical analyses related to a single website or app of the publisher;
  • for third-party cookies, at least the fourth component of the IP address (versions 4 and 6) is masked;
  • third parties are prevented from combining analytical cookies, minimised as mentioned above, with other processing and from transferring them to other third parties. Third parties are permitted to produce statistics with data from multiple domains, websites or apps that can be traced back to the same publisher[7].

Exception: in the absence of the aforementioned minimisation measures, statistical analyses relating to several domains, websites or apps of the same controller are permitted, provided that the controller carries out the statistical processing itself and that the processing does not lead to commercial decisions.

  • Information notice

The publishers’ privacy policy will also need to be properly updated to include, among other things, the retention periods of the information collected through the cookies.

 

Practical implications

In conclusion, in the next six months, it will be necessary to adapt the systems in order to make the use of cookies and other tracking technologies, including the passive ones, compliant with the new Guidelines.

As for the consents already collected, until the completion of the compliance activities they remain valid if they are in line with the requirements of the GDPR, under which consent must be free, informed, unambiguous, specific and documented (including by means of electronic evidence).

 

Notes:

[1] Garante’s press release: Cookie: il Garante privacy avvia una consultazione pubblica sulle regole per il loro uso, https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9501006.

[2] The “Linee guida cookie e altri strumenti di tracciamento – 10 giugno 2021” have been issued and published in the Official Journal No. 163 on 9th July, 2021, https://www.gazzettaufficiale.it/eli/gu/2021/07/09/163/sg/pdf.

[3] Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on privacy and electronic communications”), as amended by Directive 2006/24/EC and by Directive 2009/136/EC; it is also known as the “e-Privacy Directive”. It is qualified as lex specialis in relation to the GDPR: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058.

[4] As a matter of fact, Article 2 of the aforementioned e-Privacy Directive states that any consent given pursuant to this provision “corresponds to the […] consent in Directive 95/46/EC”. Since Directive 95/46/EC was repealed, it is necessary to refer to the consent requirements as set out in Regulation EU 2016/679. On this topic, see also Recital (17) of the e-Privacy Directive (“[…] For the purposes of this Directive, consent […] should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC”) and EDPB’s Guidelines 05/2020 on consent under Regulation EU 2016/679.

[5] EDPB “Guidelines 05/2020 on consent under Regulation 2016/679” adopted on 4th May 2020: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.

[6] See Section 4 of the “Linee guida cookie e altri strumenti di tracciamento – 10 giugno 2021”.

[7] See:

 

ICTLC Italy
italy@ictlegalconsulting.com